Prior to taking the helm of Armorize, Caleb Sima was co-founder and CTO of SPI Dynamics, the world’s leading and de facto standard for Web application security scanning. After being acquired by HP, Caleb was made HP’s Chief Technologist – Application Security Center, where he helped HP build a SaaS version of HP’s application security offerings. He also directed the lifecycle of HP’s Web application security solutions where he led a team of accomplished security experts that have received worldwide recognition for identifying new security threats and devising advanced countermeasures. Caleb has been engaged in the Internet security arena since 1996, a time when the concept of Internet security was just emerging. After being a security engineer for S1, he joined Internet Security Systems’ (later IBM) elite X-Force research and development team, where he founded the first pen testing team and bootstrapped the company’s enterprise security assessment business.
SM: Caleb, let’s begin by reviewing your background. Where are you from? Where does your story begin?
CS: I was born in Hawaii and moved to Atlanta when I was seven. I grew up in Atlanta and did not leave there until last year, when I moved to San Francisco. When I was a kid I got into a lot of trouble. I was very rebellious, and I was constantly grounded. I was not allowed to watch TV or play with my friends. Most of the time I was stuck in my room and was only allowed to read books.
My mom and dad had separated and my dad was living in Florida. I would live with my dad during the summer and my mom during the school year and the winter. My dad ended up getting a computer, and he told me that if I was good I would be allowed to play on the computer. At the time I started playing around with computers because I had nothing else to do. I learned how to change the background and some basic things. My dad had put a password on his account, and I wanted to figure out how to get past the password. It was an old version of Windows, and I figured out that if you just hit the escape key on the keyboard it would bypass the login. That is when I really started getting into computers.
This was all prior to the Internet. At the time, bulletin board systems (BBS) were the big deal. I was at my dad’s computer shop and there was a pamphlet which listed the local BBS numbers. I went home and used our 14.4 modem to dial into a BBS. The BBS numbers brought you into something very similar to a forum system like you find on the Internet today. Somebody had left a file on one which described how to make free payphone calls. I was intrigued, so I read the file. It taught me that I could get a schematic from Radio Shack, solder on a few components, and then walk to a payphone and make free phone calls. I found that fascinating.
I went to Radio Shack and bought the equipment. I created what was called a “red box,” which would let you replicate the tone that the phone would make when money was placed into the payphone. You could play the tones into the mouth of the payphone and it would emulate money being placed into the payphone. I tried the device, and I was shocked when it actually worked.
SM: The idea of doing something secret and forbidden caught your fancy?
CS: Exactly. I was always rebellious as a kid. This allowed me to turn my rebelliousness into technology. I was twelve at the time. I was amazed that I was able to build that device, and that led me into phone phreaking, which was all about hacking phone systems. In high school, kids would line up at lunch to use payphones. They would use them to dial home. I learned that on a payphone there are four lines. The auxiliary lines on payphones are used to determine if someone picks up the line or not. When you dialed somebody on a payphone and nobody answered, your change would be returned.
If you dug into the ground and found those auxiliary lines, the holding tray would always stay there. When somebody used a payphone and did not get the call connected, that person’s money would not be returned. At school, I would disconnect those auxiliary lines. Students would just walk away when their money was not returned. After lunch I would switch the lines back, call a number I knew would not pick up, and then all the change would get dumped into the coin tray. I would use that for lunch money and to buy my equipment. To me, the fact that I knew how to do those types of things was intoxicating. That ultimately led me to have an obsession with electronics and building electronic devices. That ultimately led me to software and software security.